conditional access system

ABSTRACT

A conditional access system comprising a host configured to receive an incoming data stream and to supply this incoming data stream to a conditional access module, the conditional access module being configured to process the incoming data stream and to provide a corresponding output stream to the host, characterized in that the host and the conditionalaccess module are configured to engage in an authentication protocol with each other upon detection of a code embedded in the output stream.

BACKGROUND OF THE INVENTION

In conditional access audio and video delivery systems, the (audiovisualor other) data is usually delivered in protected form. Only selectedclient devices such as set-top boxes, digital televisions, personalcomputers or mobile phones, then can render, copy or otherwise use thedata. Typically this involves descrambling or decrypting the incomingdata. For security reasons these descrambling operations usually requirethe use of a smartcard or other separate conditional access module thatis in possession of the right descrambling keys.

Most of these conditional access systems are built in compliance withthe Digital Video Broadcasting (DVB) Common Interface (CI) standardEN50221 and ETSI TS 101 699. Following the terminology of thesestandards, the client device is hereafter referred to as a “Host” andthe smartcard or other conditional access module is referred to as a“CAM” (short for “conditional access module”). It will be appreciatedthat the present invention can also be used in conjunction withconditional access systems that operate in accordance with otherstandards or proprietary systems.

The CAM descrambles the incoming data and provides the result to theHost for further use. A concern with this approach is that the outputfrom the CAM can be captured or diverted in the clear, which isundesirable.

To address this concern, consideration has been given to protecting theoutput of the CAM. If the CAM delivers the output in rescrambled form tothe Host, the clear data can no longer be captured or diverted from thetransmission from CAM to Host. The key to be used for rescrambling ispreferably established by the CAM and the Host together, which impliesthe Host and the module need to verify each other's authenticity. Such aprotection scheme could become the subject of a new standard defined byDVB or a similar organization.

At the same time, there is a need to be backwards compatible. If eitherof the CAM and Host detects that the other does not support theabove-mentioned protection scheme, it must revert to the existingstandards.

SUMMARY OF THE INVENTION

The present invention recognizes for the first time that this need forbackwards compatibility introduces a security risk. The detectionprocess can only be executed by the exchange of information between theCAM and the Host. This information necessarily is in the clear, becausethe CAM and the Host have no way to establish a secure channel. Such asecure channel is simply not defined in existing DVB CI standards. Anattacker can now manipulate this exchange of information, e.g. byblocking requests for information or messages that initiate anauthentication protocol.

The security risk is that the absence of an appropriate response canalso be caused by the fact that the other party can only operate inaccordance with existing DVB standards and does not support theprotected exchange of data. The need for backwards compatibilitydictates that the data is then to be delivered in the clear. Theattacker can thus gain access to the data.

To solve this security risk, the invention provides a conditional accesssystem as claimed in claim 1. This system is based on the insight thatdetection of a unique code embedded in the data stream is more robustthan any exchange of information between CAM and Host to attempt todetect whether the protection scheme is supported or not. Based on thisinsight, the invention proposes that the Host and the conditional accessmodule engage in an authentication protocol with each other upondetection of this unique code embedded in the input or output.

Preferably the code is embedded by means of a watermark. Since thewatermark does not have to carry any information, it can be a highquality, low visibility/audibility watermark that is difficult toremove. Watermarking schemes that satisfy these requirements are wellknown per se.

In an embodiment the conditional access module is configured to embedthe code in the output before providing the output to the Host, and inthat the Host is configured to initiate the authentication protocol withthe conditional access module upon detecting the code embedded in theoutput. This embodiment allows the CAM to indicate its support forprotected data communication by embedding the code in the output.

In this embodiment preferably the Host is further configured to abortthe reception of the output upon detecting the code embedded in theoutput. Detecting the presence of the code indicates that the Host iscommunicating with a CAM that supports protected data communication. Atransmission of the output in the clear then is not necessary and mayeven be indicative of tampering of communication between Host and CAM.Such a transmission therefore should be aborted, preferably as soon aspossible.

In a further embodiment the conditional access module is configured toinitiate the authentication protocol with the Host upon detecting thecode embedded in the output. In this embodiment the code has beeninserted prior to the reception of the scrambled data stream by the CAM.The code now serves as an indication that the output may only beprovided to the Host after a successful authentication. Usually theoutput will then be provided in scrambled form.

In a variation of this further embodiment the conditional access moduleis configured to refrain from providing the output to the Host until theauthentication protocol has successfully been completed.

In a yet further embodiment the conditional access module is configuredto scramble the output using a key agreed upon in the authenticationprotocol and to supply the scrambled output to the Host. Manyauthentication protocols exist that provide the ability to agree upon akey. This key can then be used to rescramble the output before providingit to the Host, thereby protecting the data stream.

In an embodiment the Host is configured to embed a further code, uniquefor the Host, in the output provided by the conditional access module.This enables identification of the Host should the clear, unscrambledversion of the output be made available without authorization.

Preferably the code is embedded in the output by means of a watermark.Watermarks are difficult to detect and even more difficult to removewithout specific information on where the watermark resides. In somecases watermark detection requires knowledge of a specific key.Alternatively the code is embedded in the output by means of recordingthe code in a metadata field in the output. Other ways of embedding thecode are also possible.

In an embodiment the host is configured to detect the embedded code inthe input data stream. This has the advantage that detection of theembedded code can be implemented in the Host easily, since suchdetection requires little processing of the incoming data stream.

Preferably in this embodiment the embedded code indicates the presenceof at least one information element in the incoming data stream, and inwhich the host is configured to restrict its interaction with theconditional access module upon detection of the embedded code andfailure to retrieve the at least one information element from the outputstream provided by the conditional access module to the host. Theadvantage of the above embodiment is that the Host can quickly detectthe embedded code and later process the information whose presence isflagged. A tampered CAM cannot withhold this information because theHost knows to expect it. When an authentication element is used, the CAMcannot even manipulate it.

BRIEF DESCRIPTION OF THE FIGURES

These and other aspects of the invention will be apparent from andelucidated with reference to the illustrative embodiments shown in thedrawings, in which:

FIG. 1 schematically shows a conditional access system;

FIG. 2 schematically shows a first embodiment of this system;

FIG. 3 schematically shows a second embodiment of this system.

Throughout the figures, same reference numerals indicate similar orcorresponding features. Some of the features indicated in the drawingsare typically implemented in software, and as such represent softwareentities, such as software modules or objects.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The invention has application in any field where conditional access todata is desirable. This includes but is not limited to digitaltelevision and radio.

FIG. 1 schematically shows an embodiment of a conditional access system100. The system comprises a Host 101 that is operatively coupled to aconditional access module or CAM 110. The Host 101 is shown in FIG. 1 asa set-top box that receives digital conditional access televisionsignals from a headend 120 and provides an output television signal todisplay screen 130, but the skilled person will appreciate that manyother embodiments are also possible. For example, the conditional accesssystem 100 can be integrated by providing Host 101 as part of thedisplay screen 130, e.g. in the context of an Integrated DigitalTelevision or Integrated Digital TV set. Alternatively the Host 101 canbe provided as part of a mobile phone or personal computer or any ofmany other devices. The digital conditional access signals can alsocomprise audio or data, and may be read from a storage medium or bereceived from the Internet or any other source.

The Host 101 comprises a receiver 102 that receives a scrambled datastream and supplies this scrambled data stream to the CAM 110.Preferably this scrambled data stream is comprised in an MPEG-2transport stream, although of course other transport and/or encodingprotocols or schemes can be used as well. The CAM 110 descrambles thescrambled data stream and provides a corresponding output to the Host101, where a decoding module 103 decodes the output, e.g. by convertingMPEG-2 program streams to audiovisual signals, and supplies the decodedoutput to the display screen 130. These operations are well known bythemselves and will not be elaborated upon further.

A preferred embodiment adheres to the DVB CI standards mentioned above,although in principle any conditional access system and anyscrambling/descrambling or encryption/decryption mechanism can be usedwith the present invention. What matters is that the CAM 110 operates inaccordance with the right mechanism so that appropriate outputcorresponding to the input data can be provided to the Host 101.

Alternatively, instead of being scrambled, the incoming data stream maybe provided in the clear. In that case no descrambling is necessary ofcourse before embedding the code.

In accordance with the present invention, the Host 101 and the CAM 110are configured to engage in an authentication protocol with each otherupon detection of a code embedded in the output. The presence of thecode is an indication that the authentication protocol is to beperformed.

In a first embodiment, shown in FIG. 2, the CAM 110 comprises anembedding module 115 that embeds the code in the output before providingthe output to the Host. Preferably the code is embedded by means of awatermark, although the code can also be provided in metadata, such as atable in DVB-CI systems. Embedding the code may require the use of awatermarking key or secret, depending on the watermarking algorithmused. Further, embedding the code usually requires that the scrambledinput data is descrambled first.

As shown in FIG. 2, the embedding module 115 is coupled to an output ofdescrambling module 114 that in turn is coupled to a receiving module111 by means of which the scrambled data is received from the Host 101.The descrambling module 114 usually has access to a storage medium 113with the necessary descrambling or decryption keys. Alternatively thenecessary keys can be provided from a smartcard or other device, or bedownloaded from an external location. The necessary keys can be providedin conjunction with or even in a digitally signed object that indicatesone or more permitted (licensed) activities regarding the output.

The output of the embedding module 115 is coupled to an input oftransmitting module 119 which provides the descrambled output with theembedded code to the Host 101. The Host 101 in this embodiment comprisesa code detector 104 that processes the output to detect the presence orabsence of the embedded code in the descrambled output. Detection of theembedded code may require the above-mentioned watermarking key orsecret. If the embedded code is detected, the code detector 104 sends asignal to an authentication module 105 to initiate the authenticationprotocol with a corresponding authentication module 118 in the CAM 110.

While the protocol is being executed, the delivery, decoding and/orfurther processing of the output may or may not be suspended. Thischoice depends on many factors, such as the time necessary to fullyexecute the protocol. If this takes at most a few seconds, it may beacceptable to continue delivery, decoding and further processing of theoutput while the protocol is being executed. This ensures the viewingexperience of the user is not interrupted if the protocol is successful.If the protocol cannot be successfully completed, the user will only getaccess to a few seconds' worth of information.

If the protocol is successfully completed, the authentication module 105signals to the decoding module 103 that decoding and further processingof the output may commence or continue.

Preferably the Host 101 aborts the reception of the cleartext outputupon detecting the code embedded in the output. This reduces thepossibility of unauthorized access to this cleartext output. The outputcan be subsequently provided in encrypted or scrambled form instead.

In a second embodiment, shown in FIG. 3, the CAM 110 comprises the codedetector 104, which is coupled to the authentication module 118. In thisembodiment the CAM 110 initiates the authentication protocol with theHost upon detecting the code embedded in the descrambled data providedby the descrambling module 114. After a successful authentication theoutput will be provided to the Host 101.

In this embodiment the assumption is that the code has been embeddedprior to the reception of the data stream by the CAM. A preferred way ofrealizing this is to cause a headend (in DVB terminology) or othertransmitter to embed the code. Alternatively the code may be embedded bythe provider of the audio or video data involved.

One option for this embodiment is to configure the transmitting module119 to refrain from providing the output to the Host 101 until theauthentication protocol has successfully been completed. This ensuresthat the output will not be provided to an unauthorized Host 101. Thiscan be realized by e.g. configuring the code detector 104 to signal tothe transmitting module 119 when output to the Host 101 may be provided.

Another option is to configure the CAM 110 to scramble the output usinga key agreed upon in the authentication protocol and to supply thescrambled output to the Host. This of course requires the use of anauthentication protocol that also provides for key agreement or keyestablishment. Possible options are Diffie-Hellman andGuillou-Quisquater, although other protocols may also be used of course.

Several options exist in this embodiment for the case that theauthentication is not successful, or the Host does not respond torequests to initiate the authentication protocol. A first option is tonot supply any output at all. A second option is to supply a degraded,lower-quality version of the output. For example, the video quality maybe reduced from e.g. High Definition to classic television quality, oronly part of all video frames may be provided. Audio quality can bereduced in similar ways. The audio could even be omitted altogether,thus providing a video-only output.

Operations may be restricted to only so-called ‘Free-to-air’ content,only content that was provided in unscrambled form, or other content forwhich the desire of protection is low. Such unscrambled or ‘free-to-air’content may indicate that retransmission is permitted only if thecontent is scrambled before retransmission. In such a case, the outputof such content can be blocked when the autentication is not successful.

Another option is to provide the CAM 110 with an embedding module (notshown) by which a unique code can be embedded in the output before theoutput is provided to the Host 101. While now the output may beprocessed in unauthorized ways, a distribution of the output can now atleast be traced to this particular CAM.

Yet another option is to scramble the output using a key agreed upon inthe authentication protocol and to supply the scrambled output to theHost 101, as already mentioned above.

In addition or alternative to any of the above, the CAM 110 can revokethe

Host 101, e.g. by adding an identifier for the Host 101 to a blacklistor removing its identifier from a whitelist, or by reporting theidentifier for the Host 101 to a trusted third party who subsequentlyadds the identifier to a blacklist or removes the identifier from awhitelist.

In a further embodiment the Host 101 comprises a further code embedder(not shown) that embeds a further code, unique for the Host, in theoutput provided by the CAM 110. Such a further unique code may be e.g. aserial number provided in a read-only memory in the Host 101. This againenables tracing in the case of unauthorized further distribution of theoutput.

In an alternative embodiment the code has been embedded in the incomingdata stream. As explained above with reference to FIG. 1, the incomingdata stream is first received by the Host 101 and then passed to the CAM110. In this embodiment the Host 101 detects the embedded code beforethe data stream is passed to the CAM 110. If the code is detected, theHost 101 engages in the authentication protocol mentioned above with theCAM 110.

In this embodiment preferably the embedded code comprises a message withan authentication element allowing authentication of the message asoriginating from an authorized service provider, such as a digitalsignature or message authentication code (MAC) created by the serviceprovider.

Preferably in this embodiment the embedded code comprises one or moreinformation elements such as a version number, a flag to indicateblacklist or whitelist information is available in the stream, a flag toindicate copy management information or rights data is available in thestream or a flag to indicate rescrambling of the data is required. Ifany of the flags are detected, the Host 101 expects the indicatedinformation to be available in the stream as returned by thetransmitting module 119 in the CAM 110.

The embedded flags may be provided at certain predefined locations inthe incoming data stream, for example every few seconds or followingevery table or frame of a particular type. This facilitates easierdetection of the embedded flags.

A tampered CAM 110 cannot remove the blacklist, whitelist, copymanagement or other information in the stream because the Host 101expects this information in the output. If the information is providedwith an authentication element, such as a digital signature or messageauthentication code (MAC) created by the service provider, theinformation cannot be manipulated either.

Of course the Host 101 could also directly extract the blacklist,whitelist, copy management or other information from the incomingstream. This however has the disadvantage that extracting suchinformation is complex and time-consuming.

If the code is present but no information that is supposed to be presentas indicated by the flag(s) is found in the output, the Host 101 shouldrestrict its interaction with the conditional access module in a mannersimilar to the options mentioned above for the case that theauthentication between Host 101 and CAM 110 fails.

It should be noted that the above-mentioned embodiments illustraterather than limit the invention, and that those skilled in the art willbe able to design many alternative embodiments without departing fromthe scope of the appended claims. For example, although the inventionhas been presented above in the context of a DVB-style conditionalaccess system, the invention can equally well be used in systems thatprovide more complex forms of digital rights management, such as theOpen Mobile Alliance (OMA) Digital Rights Management version 2.0. Thismay apply in particular when DRM is used for systems with one-waycommunication, such as television or radio broadcast.

As another example, the code detector 104 may attempt to detect the codeat multiple intervals. This allows the detector 104 to ignore a failureto detect the code at some of the multiple detection attempts. It alsoallows the Host 101 and CAM 110 to periodically re-authenticate eachother.

Although the word “scrambling” has been used in the above, thisindicates any transformation of a signal that renders the signalunintelligible without special knowledge, such as a key. InDVB-compliant conditional access systems the Common Scrambling Algorithmwould be used. DRM systems often use encryption schemes such as AES,3DES or DES.

In the claims, any reference signs placed between parentheses shall notbe construed as limiting the claim. The word “comprising” does notexclude the presence of elements or steps other than those listed in aclaim. The word “a” or “an” preceding an element does not exclude thepresence of a plurality of such elements. The invention can beimplemented by means of hardware comprising several distinct elements,and by means of a suitably programmed computer.

In the device claim enumerating several means, several of these meanscan be embodied by one and the same item of hardware. The mere fact thatcertain measures are recited in mutually different dependent claims doesnot indicate that a combination of these measures cannot be used toadvantage.

1. A conditional access system comprising a host configured to receivean incoming data stream and to supply this incoming data stream to aconditional access module, the conditional access module beingconfigured to process the incoming data stream and to provide acorresponding output stream to the host, characterized in that the hostand the conditional access module are configured to engage in anauthentication protocol with each other upon detection of a codeembedded in the incoming data stream or in the output stream.
 2. Thesystem of claim 1, in which the conditional access module is configuredto embed the code in the output stream before providing the outputstream to the host, and in that the host is configured to initiate theauthentication protocol with the conditional access module upondetecting the code embedded in the output stream.
 3. The system of claim2, in which the host is further configured to abort the reception of theoutput stream upon detecting the code embedded in the output stream. 4.The system of claim 1, in which the conditional access module isconfigured to initiate the authentication protocol with the host upondetecting the code embedded in the output stream.
 5. The system of claim4, in which the conditional access module is configured to refrain fromproviding the output stream to the host until the authenticationprotocol has successfully been completed.
 6. The system of claim 4, inwhich the conditional access module is configured to revoke the hostupon a failure to successfully authenticate the host.
 7. The system ofclaim 1, in which the conditional access module is configured toscramble the output stream using a key agreed upon in the authenticationprotocol and to supply the scrambled output stream to the host.
 8. Thesystem of claim 1, in which the host is configured to embed a furthercode, unique for the host, in the output stream provided by theconditional access module.
 9. The system of claim 1, in which the codehas been embedded in the output stream by means of a watermark.
 10. Thesystem of claim 1, in which the host is configured to detect theembedded code in the input data stream.
 11. The system of claim 1, inwhich the embedded code indicates the presence of at least oneinformation element in the incoming data stream, and in which the hostis configured to restrict its interaction with the conditional accessmodule upon detection of the embedded code and failure to retrieve theat least one information element from the output stream provided by theconditional access module to the host.
 12. The system of claim 1, inwhich an authentication element for the embedded code is providedtogether with the embedded code.